ipa-ca-install(1)              IPA Manual Pages              ipa-ca-install(1)

NAME

       ipa-ca-install - Install a CA on a server

SYNOPSIS

   DOMAIN LEVEL 0
       ipa-ca-install [OPTION]... [replica_file]

   DOMAIN LEVEL 1
       ipa-ca-install [OPTION]...

DESCRIPTION

       Adds a CA as an IPA-managed service. This requires that the IPA server
       is already installed and configured.

       In a domain at domain level 0, you can run ipa-ca-install without
       replica_file to upgrade from CA-less to CA-full, or with replica_file
       to install the CA service on the replica.

       The replica_file is created using the ipa-replica-prepare utility and
       should be the same one used when originally installing the replica.

       In a domain at domain level 1, ipa-ca-install can be used to upgrade
       from CA-less to CA-full or to install the CA service on a replica, and
       does not require any replica file.

OPTIONS

       -d, --debug Enable debug logging when more verbose output is needed

       -p DM_PASSWORD, --password=DM_PASSWORD
              Directory Manager (existing master) password

       -w ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              Admin user Kerberos password used for connection check

       --external-ca
              Generate a CSR for the IPA CA certificate to be signed by an
              external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic", "ms-cs".
              Default value is "generic". Use "ms-cs" to include the template
              name required by Microsoft Certificate Services (MS CS) in the
              generated CSR (see --external-ca-profile for full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the
              external CA.

              When --external-ca-type is "ms-cs" the following specifiers may
              be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major version,
                     optionally also specifying minor version.

              <name> Specify a certificate template by name. The name cannot
                     contain any : characters and cannot be an OID (otherwise
                     the OID-based template specifier syntax takes
                     precedence).

              default
                     If no template is specified, the template name "SubCA" is
                     used.

       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA
              certificate chain. The file is accepted in PEM and DER
              certificate and PKCS#7 certificate chain formats. This option
              may be used multiple times.

       --ca-subject=SUBJECT
              The CA certificate subject DN (default CN=Certificate
              Authority,O=REALM.NAME). RDNs are in LDAP order (most specific
              RDN first).

       --subject-base=SUBJECT
              The subject base for certificates issued by IPA (default
              O=REALM.NAME). RDNs are in LDAP order (most specific RDN
              first).

       --ca-signing-algorithm=ALGORITHM
              Signing algorithm of the IPA CA certificate. Possible values are
              SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is
              SHA256withRSA. Use this option with --external-ca if the
              external CA does not support the default signing algorithm.

       --no-host-dns
              Do not use DNS for hostname lookup during installation

       --skip-conncheck
              Skip connection check to remote master

       --skip-schema-check
              Skip check for updated CA DS schema on the remote master

       -U, --unattended
              An unattended installation that will never prompt for user input

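The ms-cs specifier rules listed under --external-ca-profile, written out as an added example (not part of this man page and not IPA's own code): a Python check that classifies a PROFILE_SPEC before it is passed to ipa-ca-install, so a malformed value is caught before a CSR is generated. The names parse_profile_spec and TemplateSpec are hypothetical; treating versions as non-negative decimal integers and an empty value as "no template specified" are assumptions.

```python
import re
from typing import NamedTuple, Optional

OID_RE = re.compile(r"(?:0|[1-9][0-9]*)(?:\.(?:0|[1-9][0-9]*))+")  # dotted decimal, 2+ arcs
VERSION_RE = re.compile(r"[0-9]+")   # assumption: versions are non-negative decimals
DEFAULT_TEMPLATE = "SubCA"           # default template name stated in the man page


class TemplateSpec(NamedTuple):
    kind: str                    # "name" or "oid"
    value: str                   # template name or dotted OID
    major: Optional[int] = None  # set only for kind == "oid"
    minor: Optional[int] = None


def parse_profile_spec(spec: Optional[str]) -> TemplateSpec:
    """Classify a PROFILE_SPEC according to the ms-cs specifier rules."""
    if not spec:
        # Assumption: None or "" means no template was specified.
        return TemplateSpec("name", DEFAULT_TEMPLATE)
    oid_or_name, *versions = spec.split(":")
    if not versions:
        # A bare OID is not a legal name: OID syntax takes precedence,
        # and that syntax requires a major version.
        if OID_RE.fullmatch(spec):
            raise ValueError(f"{spec!r}: OID specifier needs :<majorVersion>")
        return TemplateSpec("name", spec)
    if not OID_RE.fullmatch(oid_or_name):
        raise ValueError(f"{spec!r}: template names cannot contain ':'")
    if len(versions) > 2 or not all(VERSION_RE.fullmatch(v) for v in versions):
        raise ValueError(f"{spec!r}: expected <oid>:<major>[:<minor>]")
    major = int(versions[0])
    minor = int(versions[1]) if len(versions) == 2 else None
    return TemplateSpec("oid", oid_or_name, major, minor)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real CA.
    for sample in (None, "SubCA", "1.2.3.4:100", "1.2.3.4:100:5", "1.2.3.4", "a:b"):
        try:
            print(repr(sample), "->", parse_profile_spec(sample))
        except ValueError as err:
            print(repr(sample), "-> rejected:", err)
```
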

EXIT STATUS

       0 if the command was successful

       1 if an error occurred

IPA                               Mar 30 2017                ipa-ca-install(1)